Background and Company Performance


Founded in 1999, Qualys is a publicly traded cloud security and compliance solutions 
provider. Qualys specializes in vulnerability management (VM), but has added Web 
application scanning (WAS), Web application firewall (WAF), malware detection, Qualys 
SECURE Seal, as well as Policy Compliance and Payment Card Industry (PCI) compliance 
to its product and services portfolio. Qualys’ roadmap includes private cloud services, 
exploit consoles for VM and WAS, governance and risk compliance, customizable reporting 
and workflow, polymorphic matching, continuous asset discovery, network threat 
detection, and continuous network monitoring. 


At no moment has network security been an easy proposition. However, as recently as a 
decade ago, the attack surface available to attackers was minimal. Enterprise networks 
had a ubiquitous architecture. An enterprise had a singular firewall and protected mostly 
hardwired Ethernet desktop PCs with the exception of the occasional laptop PCs issued to 
field sales and C-level executives. Servers, routers, and switches were located on- 
premises. 


Security appliances were designed to reflect the needs of protecting a network with this 
flat architecture. Physical appliances were deployed for intrusion detection and prevention 
(IDS/IPS), to log session information and event monitoring (SIEM), for network access 
control (NAC), to conduct penetration tests, and to scan for exploitable configurations 
(VM). On the horizon, technologists could foresee a day when different types of devices 
would require network access; and that the network itself would leverage the Web for 
greater extensibility. Beyond the horizon, Cloud and cloud-computing were close to 
inception. 


However, network security tools and network security budgets can only be designed to 
accommodate the skill and comfort of the security teams that used them. At the time, the 
Web-based, virtual VM appliance Qualys offered in the Qualys Cloud Platform was a radical 
departure from conventional cyber defense tactics. 


Industry Challenges 


Moving to 2014, the condensed world of on-premises networking infrastructure, limited 
device type access to networks, and walled virtual private networks (VPN) has expanded 
in all directions. The term heterogeneous networking can mean the combination of on- 
premises networking, virtual networks, public and private clouds, and hybrid clouds. 
Device type access now means smartphones, tablets, bring your own devices (BYOD), and 
custom-purpose devices. 


Frost & Sullivan is seeing erosion in the silos among network defense technologies 
(firewalls, IDS/IPS, VM, SIEM, NAC, etc.). In fact, bidirectional communication through 
application programming interfaces (APIs) between technologies is becoming a norm 
rather than an exception. Information sharing between network security platforms 
improves the efficacy of each technology. 


Part of this award citation is attributable to Qualys' product excellence and unique 
approach to IT security that allows customers to discover and scan assets whether they 
are on-premise, in the DMZ, or in other cloud environments. 


The second part of the award citation is in recognition of the Qualys roadmap. Qualys was 
a true innovator in cloud, as well as on-premise network security. The Qualys architecture 
and API approach have been steady for the last decade, as evidenced by significant 
customer adoption of these industrialized solutions. The fundamentals Qualys has 
established architecturally carry over nicely as the company adds to its product portfolio. 


Visionary Innovation & Performance and Customer Impact 


Frost & Sullivan attributes Qualys' growth to a steady stream of best practices and logical 
connections between new and existing products and platforms. 


Criterion 1: Addressing Unmet Needs 


In VM, Qualys offers decentralized scan capabilities utilizing multiple form factors — Web- 
based, virtual appliances, cloud-based, and on-premises scanning appliances. The Qualys 
cloud oriented architecture allows you to have a single-pane-of-glass view of the 
vulnerability and compliance posture across multiple locations. An additional benefit of 
working with the Qualys cloud oriented architecture is that a network security team gains 
complete visibility of its network's endpoints, including PCs, switches, databases, 
applications, and servers. 


Conceptually, Qualys offers scanning alerts based on policy on endpoints. Qualys allows 
customers to create a "golden image" for each endpoint on the network. When Qualys 
performs a scan on an endpoint, the scan checks each endpoint for multiple items (SSL 
certificates, OS, antivirus, and other endpoint characteristics). If an endpoint shows a 
change from what is stored on the golden image, the network security team is alerted. 


Additionally, Qualys has been actively working on the data sovereignty problem. Many 
countries globally have laws that prevent data from leaving their borders. If a company 
has a Web-based or cloud-based solution, data transfer can be problematic. In the last 
couple of years Qualys has built a data center in Europe and has established significant 
relationships with large telcos, which allow for applications to be run within the aegis of an 
organization's infrastructure, never leaving the borders of a country. 


Scanning a large number of different and potentially unknown devices can be risky, as 
incorrect packets can bring down network devices. Qualys has an expansive testing 
environment where it tests thousands of devices to ensure high accuracy as well as 
making sure devices are not impacted in their performance. Qualys tracks all defects in its 
scanning solution and reports a six sigma accuracy rate of less than six defects per million 
scans. 


Lastly, Web Application Security. Qualys uses a progressive scan approach which crawls 
Web sites, Web pages, and landing sites for vulnerable applications. On the first day, a 
cycle of Web pages is scheduled for application scanning. A second day scan prioritizes 
newly added Web pages, then starts a rescan of the first day alarms, and ultimately 
resumes scanning from the last known Web page. Each scan cycle begins with new Web 
pages, a scan of alarms, and then resumption of Web scanning from the last known Web 
page. 


Network and WAS scanning can congest a network and affect its performance. Depending 
upon the size of the enterprise, a comprehensive network scan can take 12-18 hours. 
Therefore, if an IT director has his druthers, the director would rather perform network 
scans during maintenance hours. Flexibility in vulnerability and Web application scanning 
gives network security ways to provide continuous security while scheduling scanning 
during regular maintenance hours. 


Criterion 2: Visionary Scenarios 


At its October 2014 Investors' Day Conference, Qualys outlined four strategic initiatives 
showing where its products and services are now and where they are heading. All of these 
initiatives map to the primary theme of continuous security, which enables customers to 
detect and address new security threats on a continuous, always-on basis, rather than in 
scheduled or event-driven scenarios. 


* Continuous Asset Discovery is the self-evident concept that a network is only 
secure to the degree that all endpoints can be monitored. Currently, a combination 
of Qualys services can provide active network mapping, identify devices and Web 
applications, tag assets for tracking, and offer an asset connector. The roadmap 
includes an asset correlation module, passive discovery of endpoints, agent-based 
discovery from server-side and cloud-based agents, and log-based discovery. 


* Continuous Network Security - Qualys allows its customers to take a more 
progressive approach to scanning by enabling them to scan their networks 
continuously instead of just on a weekly or monthly schedule. This enables 
organizations to continuously monitor their devices against security and compliance 
policies in real time and be alerted as soon as there is a deviation from the policy. 
With this proactive approach customers do not have to rely on manual analysis of 
scan results to get actionable alerts. This vision is achieved with its unique blend of 
sensors that include physical, virtual and cloud based scanners as well as agents 
and passive sniffers. With its cloud based scanners Qualys also offers a unique 
external view of customer perimeter defences, identifying security holes that 
are exposed externally. 


* Continuous Web Security is a work in progress with an early generation WAF 
and the more mature Qualys WAS. The planned additions for Web security in 2015 
include automated virtual patching, Web log analysis and correlation, and a Web 
exploit console. 


* Continuous Threat Protection, the fourth strategic initiative, is new and includes 
the development of a continuous threat protection service. The components of 
continuous threat protection are a malware protection (not detection) service, log 
correlation, and real-time indicator of compromise (IOC) querying. 


Criterion 3: Financial Performance 


In 2013, the last full year of financial reporting, Qualys reported $108 million in revenues. 
This revenue figure was up from $91 million in 2012 and was 18% growth year-over-year 
(YoY). Qualys is having even better YoY improvements in 2014. For the first quarter 2014 
revenues were up 22% YoY; second quarter 2014 revenues increased 23% YoY; and 
third quarter 2014 revenues were up 24% YoY. 


A popular colloquialism used in business quarters is "land and expand." For Qualys, land 
and expand is manifesting in several important ways. The traditional business that Qualys 
has been in for over a decade is VM. VM licenses are growing 10% YoY. In the current 
product portfolio, VM makes up roughly 83% of revenue, with the remaining 17% split 
evenly between WAS and policy compliance. 


WAS and policy compliance revenues are relatively new, but are important future revenue 
contributors. As reported by Qualys, a company that licenses $100,000 in VM services 
could be upsold $75,000 in policy compliance and $50,000 in WAS. 


The dynamic of VM growth combined with WAS and policy compliance services is self- 
perpetuating. The optimism extends further. Qualys believes it is only scratching the 
surface in WAS growth potential and reports larger licensing agreements as customers 
come to trust WAS. Additionally, Qualys said it dedicated the last year to improving 
relationships with managed security service providers (MSSPs), developing global 
outsource providers, and making more resources available to value-added resellers 
(VARs). Qualys intimated it could bolster its own sales and marketing team. 




Criterion 4: Customer Purchase Experience 


Qualys’ self-described Cloud Oriented Architecture (COA) provides tremendous advantages 
to global businesses. The Qualys COA serves physical, virtual, and cloud data centers. The 
COA can be accessed directly by mobile users and from remote offices. Scalability is a 
structural COA attribute. 


When a company commits to a policy compliance service, the company is making the 
implicit statement that it has an understanding of vertical industries. To offer Payment 
Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and 
Accountability Act (HIPAA), or Sarbanes-Oxley Act (SOX) compliance, Qualys establishes 
a functional understanding of retailers, healthcare providers, and banking industries 
respectively. 


Importantly, Qualys has built product licensing programs for companies with any number 
of employees. The Express Lite Suite is designed for 250 employees or less. The Express 
Suite is designed for 250-5,000 employees. Lastly, the Enterprise Suite is designed for 
more than 5,000 employees. 


Criterion 5: Customer Ownership Experience 


Currently customers come to Qualys for VM, WAS, or policy compliance services. When a 
device enters a network, Qualys can fingerprint it and catalog the device's IP, its OS, 
where it is mapped to, and its security/compliance posture. Even if a company declines 
the policy compliance service, the ability to report all of the endpoints on a network is 
common over many different compliance standards. Additionally, the Qualys scan checks 
on the status of SSL certificates. 


The use of vulnerability management scanning is also a de facto patch management 
system. A network is a very fluid environment, and for many different reasons an OS 
update or a formal patch, for example, may not transmit to all of its intended 
endpoints. Scan results show what is on a given endpoint and that can be compared to 
what should be on an endpoint. 


Customer service relations are often thought of as block and tackle fundamentals and 
sometimes lightly regarded. Qualys internal auditing indicates that phone calls are 
answered within one minute. The average email response time is less than 24 hours. 
Because Qualys has a legacy clientele, at any given time 12,000 members are online and 
are contributing to the knowledge base, offering training advice, and providing third-party 
support. 


Criterion 6: Brand Equity 


In the January 2014 Frost & Sullivan study Analysis of the Vulnerability Management 
Market: Platform convergence intensifies competition but creates opportunity in growth 
technology (NE36-74), Qualys was found to be the vulnerability management market 
leader with 17.8% share of a $528.6 million market. 


The product concept of the Qualys Cloud Platform has been in the market since 2002. 
While not as recognizable as Microsoft Windows or Intel Pentium, Qualys is a well-known 
brand in VM. 


The cliché about the proof being in the pudding is applicable with Qualys. Qualys 
Chairman and CEO Philippe Courtot explained that Qualys was finally realizing its first $1 
million deals. Internal statistics presented at the Investors’ Day indicate high customer 
satisfaction and loyalty. Qualys reports a 95% retention base of all existing accounts. 
Qualys said that Top 100 customers in 2013 represented roughly 23% of all Qualys 
revenues. Arguably, the most interesting statistic presented was that customers that had 
been with Qualys for 10 years increased their licensing by 544% in the tenth year 
compared to value of the license that was issued in the first year. 


Conclusion 


Network security has been an industry punctuated by secretive product platforms. Perhaps 
no company has demonstrated a greater transparency in describing its product 
development and future roadmap than Qualys. 


Qualys’s dedication to Web-based and cloud-based services is paying massive dividends. 
Driving this is the company’s steadfast vision of having a single point of entry to offer 
scan capabilities across all endpoints of a heterogeneous network. The single point of 
entry approach is a winning strategy for endpoint visibility and as a double-check 
redundancy for patch management and to see if OS and application updates were properly 
installed at the endpoints. 


No company has staked more to its reputation in 2015 than Qualys. On the 2015 
roadmap, Qualys has committed to: 


* Cloud-based log management of vulnerabilities and applications 
* A correlation engine that makes its four strategic initiatives possible 
* Scanning using asset risk as a criterion 
* Cloud-agent, passive, and log based discovery 
* Exploit consoles for VM and WAS 


Qualys has a reputation of being able to meet deadlines and fulfill customer needs. Frost 
& Sullivan appreciates the current Qualys product iterations, and is bullish on Qualys’ 
ambitious roadmap. 


Because of its strong overall performance, Qualys, Inc. is recognized with Frost & Sullivan’s 
2014 Company of the Year Award for Continuous Innovation in Network Security. 


Significance of Company of the Year 

To win the Company of the Year award (i.e., to be recognized as a leader not only in your 
industry, but among your non-industry peers as well) requires a company to demonstrate 
excellence in growth, innovation, and leadership. This kind of excellence typically 
translates into superior performance in three key areas: demand generation, brand 
development, and competitive positioning. These areas serve as the foundation of a 
company’s future success and prepare it to deliver on the two criteria that define the 
Company of the Year Award (Visionary Innovation & Performance and Customer Impact). 
This concept is explored further below. 


[Figure: Company of the Year, resting on demand, brand, and competitive positioning] 

Demand 
* Acquire competitors’ customers 
* Increase renewal rates 
* Increase upsell rates 
* Build a reputation for value 
* Increase market penetration 

Brand 
* Earn customer loyalty 
* Foster strong corporate identity 
* Improve brand recall 
* Inspire customers 
* Build a reputation for creativity 

Competitive Positioning 
* Stake out a unique market position 
* Promise superior value to customers 
* Implement strategy successfully 
* Deliver on the promised value proposition 
* Balance price and value 


Understanding Company of the Year 


As discussed above, driving demand, brand strength, and competitive differentiation all 
play a critical role in delivering unique value to customers. This three-fold focus, however, 
must ideally be complemented by an equally rigorous focus on visionary innovation to 
enhance customer value and impact. 


Key Benchmarking Criteria 


For the Company of the Year Award, Frost & Sullivan analysts independently evaluated 
two key factors—Visionary Innovation & Performance and Customer Impact—according to 
the criteria identified below. 


Visionary Innovation & Performance 
Criterion 1: Addressing Unmet Needs 
Criterion 2: Visionary Scenarios Through Mega Trends 
Criterion 3: Implementation Best Practices 
Criterion 4: Blue Ocean Strategy 
Criterion 5: Financial Performance 


Customer Impact 
Criterion 1: Price/Performance Value 
Criterion 2: Customer Purchase Experience 
Criterion 3: Customer Ownership Experience 
Criterion 4: Customer Service Experience 
Criterion 5: Brand Equity 


Best Practice Award Analysis for Qualys, Inc. 
Decision Support Scorecard 


To support its evaluation of best practices across multiple business performance 
categories, Frost & Sullivan employs a customized Decision Support Scorecard. This tool 
allows our research and consulting teams to objectively analyze performance, according to 
the key benchmarking criteria listed in the previous section, and to assign ratings on that 
basis. The tool follows a 10-point scale that allows for nuances in performance evaluation; 
ratings guidelines are illustrated below. 


RATINGS GUIDELINES 




The Decision Support Scorecard is organized by Visionary Innovation & Performance and 
Customer Impact (i.e., the overarching categories for all 10 benchmarking criteria; the 
definitions for each criteria are provided beneath the scorecard). The research team 
confirms the veracity of this weighted scorecard through sensitivity analysis, which 
confirms that small changes to the ratings for a specific criterion do not lead to a 
significant change in the overall relative rankings of the companies. 


The results of this analysis are shown below. To remain unbiased and to protect the 
interests of all organizations reviewed, we have chosen to refer to the other key players in 
as Competitor 2 and Competitor 3. 


Measurement of 1-10 (1 = poor; 10 = excellent) 

Company of the Year   Visionary Innovation & Performance   Customer Impact   Average Rating 
Qualys, Inc.          9.7                                  9.5               9.6 
Competitor 2          8.4                                  8.4               8.4 
Competitor 3          8.2                                  7.6               7.9 


Visionary Innovation & Performance 


Criterion 1: Addressing Unmet Needs 
Requirement: Implementing a robust process to continuously unearth customers’ unmet 
or under-served needs, and creating the products or solutions to address them effectively 


Criterion 2: Visionary Scenarios Through Mega Trends 

Requirement: Incorporating long-range, macro-level scenarios into the innovation 
strategy, thereby enabling “first to market” growth opportunities solutions 

Criterion 4: Implementation Best Practices 

Requirement: Best-in-class strategy implementation characterized by processes, tools, or 
activities that generate a consistent and repeatable level of success. 


Criterion 3: Blue Ocean Strategy 
Requirement: Strategic focus in creating a leadership position in a potentially 
“uncontested” market space, manifested by stiff barriers to entry for competitors 


Criterion 5: Financial Performance 
Requirement: Strong overall business performance in terms of revenues, revenue growth, 
operating margin and other key financial metrics 


Customer Impact 


Criterion 1: Price/Performance Value 
Requirement: Products or services offer the best value for the price, compared to similar 
offerings in the market 


Criterion 2: Customer Purchase Experience 
Requirement: Customers feel like they are buying the most optimal solution that 
addresses both their unique needs and their unique constraints 


Criterion 3: Customer Ownership Experience 
Requirement: Customers are proud to own the company’s product or service, and have a 
positive experience throughout the life of the product or service 


Criterion 4: Customer Service Experience 
Requirement: Customer service is accessible, fast, stress-free, and of high quality 


Criterion 5: Brand Equity 
Requirement: Customers have a positive view of the brand and exhibit high brand loyalty 


Decision Support Matrix 


Once all companies have been evaluated according to the Decision Support Scorecard, 
analysts can then position the candidates on the matrix shown below, enabling them to 
visualize which companies are truly breakthrough and which ones are not yet operating at 
best-in-class levels. 


[Figure: Decision Support Matrix. Vertical axis: Customer Impact (Low to High). 
Horizontal axis: Visionary Innovation & Performance (Low to High). Plotted companies: 
Qualys, Inc., Competitor 2, Competitor 3.] 


The Intersection between 360-Degree Research and Best Practices Awards 


Research Methodology 


Frost & Sullivan's 360-degree research methodology represents the analytical rigor of our 
research process. It offers a 360-degree-view of industry challenges, trends, and issues by 
integrating all 7 of Frost & Sullivan's research methodologies. Too often, companies make 
important growth decisions based on a narrow understanding of their environment, 
leading to errors of both omission and commission. Successful growth strategies are 
founded on a thorough understanding of market, technical, economic, financial, customer, 
best practices, and demographic analyses. The integration of these research disciplines 
into the 360-degree research methodology provides an evaluation platform for 
benchmarking industry players and for identifying those performing at best-in-class levels. 

[Figure: 360-Degree Research: Seeing Order in the Chaos] 


Best Practices Recognition: 10 Steps to Researching, Identifying, and Recognizing Best 
Practices 


Frost & Sullivan Awards follow a 10-step process to evaluate Award candidates and assess 
their fit to best practice criteria. The reputation and integrity of the Awards are based on 
close adherence to this process. 


Step 1: Monitor, target, and screen 
Objective: Identify award recipient candidates from around the globe 
Key activities: 
* Conduct in-depth industry research 
* Identify emerging sectors 
* Scan multiple geographies 
Output: Pipeline of candidates who potentially meet all best-practice criteria 

Step 2: Perform 360-degree research 
Objective: Perform comprehensive, 360-degree research on all candidates in the pipeline 
Key activities: 
* Interview thought leaders and industry practitioners 
* Assess candidates’ fit with best-practice criteria 
* Rank all candidates 
Output: Matrix positioning all candidates’ performance relative to one another 

Step 3: Invite thought leadership in best practices 
Objective: Perform in-depth examination of all candidates 
Key activities: 
* Confirm best-practice criteria 
* Examine eligibility of all candidates 
* Identify any information gaps 
Output: Detailed profiles of all ranked candidates 

Step 4: Initiate research director review 
Objective: Conduct an unbiased evaluation of all candidate profiles 
Key activities: 
* Brainstorm ranking options 
* Invite multiple perspectives on candidates' performance 
* Update candidate profiles 
Output: Final prioritization of all eligible candidates and companion best-practice 
positioning paper 

Step 5: Assemble panel of industry experts 
Objective: Present findings to an expert panel of industry thought leaders 
Key activities: 
* Share findings 
* Strengthen cases for candidate eligibility 
* Prioritize candidates 
Output: Refined list of prioritized award candidates 

Step 6: Conduct global industry review 
Objective: Build consensus on award candidates’ eligibility 
Key activities: 
* Hold global team meeting to review all candidates 
* Pressure-test fit with criteria 
* Confirm inclusion of all eligible candidates 
Output: Final list of eligible award candidates, representing success stories worldwide 

Step 7: Perform quality check 
Objective: Develop official award consideration materials 
Key activities: 
* Perform final performance benchmarking activities 
* Write nominations 
* Perform quality review 
Output: High-quality, accurate, and creative presentation of nominees’ successes 

Step 8: Reconnect with panel of industry experts 
Objective: Finalize the selection of the best-practice award recipient 
Key activities: 
* Review analysis with panel 
* Build consensus 
* Select winner 
Output: Decision on which company performs best against all best-practice criteria 

Step 9: Communicate recognition 
Objective: Inform award recipient of award recognition 
Key activities: 
* Present award to the CEO 
* Inspire the organization for continued success 
* Celebrate the recipient’s performance 
Output: Announcement of award and plan for how recipient can use the award to enhance 
the brand 

Step 10: Take strategic action 
Objective: The award recipient may license the award for use in external communication 
and outreach to stakeholders and customers 
Key activities: 
* Coordinate media outreach 
* Design a marketing plan 
* Assess award’s role in future strategic planning 
Output: Widespread awareness of recipient’s award status among investors, media 
personnel, and employees 


About Frost & Sullivan 


Frost & Sullivan, the Growth Partnership Company, enables clients to accelerate growth 
and achieve best in class positions in growth, innovation and leadership. The company's 
Growth Partnership Service provides the CEO and the CEO's Growth Team with disciplined 
research and best practice models to drive the generation, evaluation and implementation 
of powerful growth strategies. Frost & Sullivan leverages almost 50 years of experience in 
partnering with Global 1000 companies, emerging businesses and the investment 
community from 31 offices on six continents. To join our Growth Partnership, please visit 
http://www.frost.com. 